Chris Gray schrieb:
> Here's a fragment from a table that allows sorting by clicking the header
> in a dtml method named 'displayTable':
> <table>
> <tr>
> <th><a href="displayTable?sort_key=ID+desc">ID</a></th>
> <th><a href="displayTable?sort_key=product">Product</a>
> </tr>
> <dtml-in "SQLSelectQuery(sort_key=REQUEST['sort_key'])">
> Then feed sort_key into your SQLSelectQuery to use in an ORDER BY clause.
> select * from table order by <dtml-var sort_key>
You schould never do so. Unquoted variables in SQL-statements are high
security risc if they came from REQUEST. As an example someone can
send a string which ends a statement and begins a new one, like drop
Instead reference only an index of a list with the columns to sort.

oder by <dtml-sqlvar orderindex type=int> is also a solution.
The index ranges from 1 to number of returned values.


> You can change the properties of an object in DTML by callling its
> manage_changeProperties method, for example:
> <dtml-call expr="foo.manage_changeProperties(bar='New Value')">
> will changes the value of foo's bar property to 'New Value'.
> There are several ways of getting the effect of assigning variables in
> DTML, but it really isn't meant to have a direct way of declaring and
> assigning variables.  The way you're trying to use an object's properties
> will, I believe, cause problems in the case of simultaneous users, because
> it will act as a global variable.
> Cheers,
> Chris
> On Mon, 4 Dec 2000, John Cappelletti wrote:
> >
> > I am listing the results of a database query using dtml-in. I'd like to
> > be able to give the user the option to re-sort the list by clicking on a
> > column header. ok... I'm starting small with a form and radio buttons to
> > allow the user to specify the sort.
> >
> > I've created what I believe to be a global variable for this page using
> > the property screen. The variable is to capture the column name for the
> > sort. My simple question is how do I assign a value to this variable
> > inside of the dtml method! I'm not finding a description of variable
> > assignment in the documentation (yeah, I must be missing the obvious).
> >
> > Any pointers would be appreciated.  (also, know if anyone has
> > implemented interactive sort by column header?)

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to